CVE Vulnerabilities

CVE-2023-42282

Server-Side Request Forgery (SSRF)

Published: Feb 08, 2024 | Modified: Oct 09, 2024
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
9.8 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Weakness

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Affected Software

Name Vendor Start Version End Version
Ip Fedorindutny * 1.1.9 (excluding)
Ip Fedorindutny 2.0.0 (including) 2.0.0 (including)
HawtIO 4.0.0 for Red Hat build of Apache Camel 4 RedHat nodejs-ip *
Migration Toolkit for Virtualization 2.5 RedHat migration-toolkit-virtualization/mtv-console-plugin-rhel9:2.5.6-4 *
NETWORK-OBSERVABILITY-1.6.0-RHEL-9 RedHat network-observability/network-observability-cli-rhel9:v1.6.0-66 *
NETWORK-OBSERVABILITY-1.6.0-RHEL-9 RedHat network-observability/network-observability-console-plugin-rhel9:v1.6.0-66 *
NETWORK-OBSERVABILITY-1.6.0-RHEL-9 RedHat network-observability/network-observability-ebpf-agent-rhel9:v1.6.0-66 *
NETWORK-OBSERVABILITY-1.6.0-RHEL-9 RedHat network-observability/network-observability-flowlogs-pipeline-rhel9:v1.6.0-66 *
NETWORK-OBSERVABILITY-1.6.0-RHEL-9 RedHat network-observability/network-observability-operator-bundle:1.6.0-78 *
NETWORK-OBSERVABILITY-1.6.0-RHEL-9 RedHat network-observability/network-observability-rhel9-operator:v1.6.0-66 *
Red Hat OpenShift Dev Spaces 3 Containers RedHat devspaces/code-rhel8:3.17-19 *
RHODF-4.15-RHEL-9 RedHat odf4/mcg-core-rhel9:v4.15.0-68 *
Node-ip Ubuntu bionic *
Node-ip Ubuntu devel *
Node-ip Ubuntu esm-apps/bionic *
Node-ip Ubuntu esm-apps/focal *
Node-ip Ubuntu esm-apps/jammy *
Node-ip Ubuntu focal *
Node-ip Ubuntu jammy *
Node-ip Ubuntu mantic *
Node-ip Ubuntu noble *
Node-ip Ubuntu oracular *
Node-ip Ubuntu upstream *

References